Introduction

Orogene is a package manager for building up and writing node_modules/ directories, as well as a general toolkit for working with related packages and APIs.

Configuration

The oro.kdl Config File

Options are read from three possible oro.kdl file locations:

1. oro.kdl, located in the root of the current project.
2. oro.kdl, located in a system-dependent location
3. Any file specified by using the global --config FILE CLI option. When this option is specified, neither of the other configuration files are loaded, and file-based configuration happens entirely off the given file. Environment variables and command line options will still be loaded normally.

All files files use KDL as their configuration language. Key/value options are typically specified using node-name "value" format. For example, foo "bar" would be the equivalent of --foo bar. For boolean operations, use foo true and foo false. If an empty node name is found, that will be treated as if it had a value of true. Negations (no-foo) are not supported.

Some configurations, such a Options, exist in nested nodes. Refer to their dedicated sections for more details.

Options

In Orogene, "options" refers to configurations that can be provided through the command line.

Available Options

All available options for individual commands are available by doing oro <subcommand> --help, or by visiting the individual commands' documentation pages on this site.

"Global Options" can potentially be used across all commands and have a shared meaning. Global options are always listed and accepted for all commands, even if the individual commands do not make use of them.

Commands with an "Apply Options" section support implicit dependency application. Any that don't have that section do not interact with node_modules at all.

Specifying Options

Orogene options can be provided in three different ways, in order of precedence:

1. Direct command line flags (--foo blah), which can be negated (--no-foo)
2. KDL configuration file(s) (oro.kdl), inside the options node.
3. Environment variables, prefixed by oro_config_ (oro_config_foo=blah)

Options from oro.kdl

Options can be specified through oro.kdl by using the toplevel options node. For example:

// ./oro.kdl
options {
    registry "https://my.private.registry/_path"
    emoji false
}

Managing node_modules/

The whole point of Orogene is to manage node_modules/ directories for consumption by various tooling, such as Node.js, transpilers, bundlers, linters, etc.

The process of managing node_modules/ and making sure all the appropriate dependencies are in place is called "apply" in orogene. Application happens through a number of commands, automatically. For example, oro reapply, oro add, oro remove, and oro run all make sure to apply your dependencies as needed, to make sure your node_modules/ corresponds to your manifest and lockfile as much as possible. You can disable this behavior, as desired.

Application blow-by-blow

By default, the apply operation will do the following things:

1. Read dependencies declared in package.json.
2. Generate a dependency tree based on those.
   1. If a lockfile (package-lock.kdl or package-lock.json) already exists, it will be used to supplement the resolution.
   2. If any dependencies in the lockfile are missing or don't correspond to expected dependencies, the tree will ignore that particular lockfile data and resolve the item(s) itself.
3. Scan through the existing node_modules/, if any, and prune anything "extraneous" (aka, removed/outdated dependencies, stray files, etc).
4. Extract any missing packages into node_modules, into one of two modes:
   1. isolated (default, preferred)
   2. hoisted (possibly more compatible, discouraged because it exposes phantom dependencies)
5. Execute any preinstall scripts on the entire tree, including the root package.
6. Link/shim any bins in the dependencies to their appropriate node_modules/.bin directories.
7. Execute install and postinstall scripts on the entire tree, including the root package.
8. Finally, the updated lockfile is written to package-lock.kdl.

Modifying Application

All commands that execute implicit apply accept the same options for modifying its behavior. To see the full list, refer to the apply command options, which are also listed in the -h/--help for any command that performs implicit apply.

Some options of note:

--no-apply

Skips the entire apply operation. This option will have no effect on the oro apply command, which forces an apply regardless of your settings.

This option can be useful if you don't like implicit applies and would like to generally configure Orogene to skip them by default, but let you use --apply when you happen to want to apply something. To do this, add apply false to your oro.kdl options node.

--locked

Instead of using lockfiles as a suggestion/optimization, this option will force an error if the dependencies declared in package.json don't correspond to the ones declared in an existing package-lock.kdl.

This option has no effect in oro add/oro remove, for hopefully obvious reasons.

--lockfile-only

Resolves the dependency tree and writes the lockfile as appropriate, but skips anything having to do with node_modules itself, including pruning and scripts.

--no-lockfile

Skips writing, or updating the lockfile entirely. As of right now, this will still read the lockfile to inform resolution.

Adding or Removing Dependencies

You can modify your current project's dependencies three different ways:

1. Use the oro add command.
2. Use the oro remove command.
3. Edit package.json manually and rerun oro apply.

When any of these methods are used, orogene will update the current dependency tree such that the changed dependencies are reflected. This process means that the dependencies specified in package-lock.kdl won't necessarily be obeyed: In general, Orogene will do its best to preserve a dependency's previous position in the tree, but if a conflict happens, it may be moved or replaced.

In order to guarantee that Orogene only accepts tree modifications on oro add/oro remove, you can use the --locked option.

Specifier syntax

A package specifier in orogene is a string describing which package should be resolved. This string, in some cases (such as in the CLI) can include a name under which to install that dependency. Specifiers are used both through the add CLI commands, or in the value field in your dependency objects, next to the requested package names.

Alias

Syntax: <alias>@<specifier>

Alias specifiers work a lot like NPM specifiers, but are able to force a dependency to use a certain name in the node_modules tree.

When specifying an alias for an NPM registry package, you must use the npm: prefix before the NPM specifier itself. All other specifiers can be provided as-is.

Examples: underscore@npm:lodash, underscore@github:lodash/lodash

NPM

Syntax: <package-name>[@(<semver> | <tag>)]

NPM specifiers refer to "regular" NPM packages from a registry. The <package-name> can be any valid scoped or unscoped package name. If followed by an @, either a semver range or a dist-tag can be specified.

When used in package.json, the <package-name> must be omitted, and it is recommended that only semver ranges be used.

Examples: lodash, lodash@3, @axodotdev/oranda@1.2.3

Path

Syntax: <./relative/path> | <C:\absolute\path>

Path specifiers refer to the directory in the local machine where a package exists. They can either be relative (in which case they must be prefixed by ./ or .\), or absolute (in which case they must start with either / or a drive letter).

Examples: ./path/to/my/proj, C:\src\foo

Hosted Git

Syntax: <host>:<org>/<proj>[#(<rev> | semver:<semver>)]

Hosted git specifiers refer to packages on a handful of well-known hosted git platforms, and can be used as a shorthand. You may optionally provide either a git rev or a semver:-prefixed semver range following a # to resolve to a particular version, instead of the latest HEAD.

Supported platforms: github, gitlab, gist, bitbucket.

Examples: github:orogene/orogene, gist:foo/bar#deadcafe, gitlab:baz/quux#semver:^1.2

Git

Syntax: [git+]<git-url>[#(<rev> | semver:<semver>)]

Arbitrary git URLs can also be provided to Orogene. For git:// URLs, no prefix is necessary, but other URL types must include a git+ prefix. You may optionally provide either a git rev or a semver:-prefixed semver range following a # to resolve to a particular version, instead of the latest HEAD.

Examples: git://github.com/lodash/lodash, git+ssh://codeberg.org/foo/bar.git#semver:^1.2.3

Phantom Dependencies

"Phantom dependencies" refers to a phenomenon where dependencies that weren't directly declared in a package's package.json can be imported from those packages. It arises primarily from "hoisted" node_modules trees where, in order to reduce duplication, shared dependencies are moved as high up the tree as possible, exposing them to everyone else at that level or deeper.

By default, Orogene uses an "isolated" linking strategy to avoid this: All dependencies are first written to <root>/node_modules/.oro-store/<dep>-12345/node_modules/<dep>, then every dependency inside the store, along with the root package, gets their own individual node_modules that contains symlinks back into the store, only for dependencies directly declared in their package.json. This avoids the phantom dependencies problems and ensures that you don't accidentally forget to add a dependency to your package.json just because of the state of your dependency tree at any given point in time.

The catch with this isolated mode is that most NPM packages in the public registry have been written in a world where the NPM CLI defaults to "hoisted" installations, so a number of packages out in the wild depend on this behavior, purely by accident. The best fix for this is simply to patch the offending package and install an updated version.

When this is not possible, you can use --hoisted to force Orogene to apply dependencies in a classic, flattened-as-much-as-possible style. As with other options, this can be added to your oro.kdl as needed.

Authentication and Private Registries

Orogene supports logging in/out of both the main regisry, as well as alternative/private registries. It supports three authentication methods:

Using oro login

oro login supports configuring all authorization methods, and is able to authenticate and log in and fetch a token for Bearer Token authorization.

When done, it will automatically add the relevant authorization credentials to your global oro.kdl. If --config <file> is passed in, credentials will be written to <file> instead. You can also pass in --registry to specify a registry to log in to, and --scope to associate this registry with a particular scope.

Authorization Credentials

There's three possible method of providing authorization information when interacting with a registry. Each of these can be configured by the options > auth node in oro.kdl, with the node name being the registry the auth information applies to. Additionally, options > scoped-registries will be used to determine which registry auth should be picked for a particular package.

For example:

// oro.kdl
options {
    scoped-registries {
        "@mycompany" "https://my.company.registry.net"
    }
    auth {
        "https://registry.npmjs.org" token="deadbeef"
        "https://my.company.registry.net" username="myuser" password="mypassword"
    }
}

When making any requests to a registry, configured credentials will always be automatically included in the Authorization header, encoded appropriately. Authorization will also take into account scopes when fetching or pushing individual packages and their metadata.

When package tarballs are hosted on a separate registry than the package's configured registry (as determined by its scope or lack thereof), authorization information will not be sent.

Bearer Token

This is usually acquired through a login operation with the registry, and is the preferred and more secure way of managing authorization.

Bearer token auth will be sent in the form of an HTTP header that looks like:

Authorization: Bearer deadbeefbadc0ffee

You can configure a bearer token using oro login by either invoking it as-is, in which case you will be taken through an actual login flow with the registry, or you can pass a --token <token> option directly to skip this, if you already have a known token. You can also pass --auth-type legacy to log in using classic command-line-prompt username/password instead of web-based login. Unlike the main NPM CLI, an email is not collected, and a new account cannot be create using oro login.

Given an invocation like oro login --registry https://my.custom.registry.net --scope @mycompany, you will be taken to that registry's login page, and, when done, your oro.kdl will look something like this:

// oro.kdl
options {
    scoped-registries {
        "@mycompany" "https://my.custom.registry.net"
    }
    auth {
        "https://my.custom.registry.net" token="deadbeef"
    }
}

In NPM CLI terms, this maps to :_authToken and :token, which are synonyms.

Basic Auth

You can provide a username and (optional) password to send to the configured registry. This is not recommended if you can avoid it, since it involves storing your auth information in plain text in an oro.kdl file, but is a common practice for third-party registries.

Note that unlike the official NPM CLI, the password should not be base64-encoded, and should be stored in its original unencoded text.

You can use oro login to configure this authorization method, although no authentication will happen: it will simply write it to your oro.kdl. To do this, pass --username <username> and an optional --password <password> when invoking oro login.

Basic auth will be sent in the form of an HTTP header that looks like:

Authorization: Basic ${toBase64(username + ":" + password)}

In NPM CLI terms, this maps to :username and :_password, and does not require an :email equivalent to be set.

Legacy Auth

Finally, you can provide what Orogene calls a "legacy" auth token, which is essentially basic auth, and is used by certain tools to configure login information. This token is not usually secure, since it's supposed to be base64-encoded username and password information.

You can use oro login to configure this authorization method, although no authentication will happen: it will simply write it to your oro.kdl. To do this, pass --legacy-token <token> when invoking oro login.

Legacy auth will be sent as-is to the chosen registry:

Authorization: Basic deadbeefbadc0ffee

In NPM CLI terms, this maps to :_auth.

Telemetry

Orogene supports fully opt-in, anonymous telemetry in order to improve the project and find issues that would otherwise not get reported, or lack enough information to take action on.

Configuration

You'll be prompted on first orogene run if you would like to enable telemetry. It will not be enabled unless you explicitly say yes to the prompt. The configuration will then be saved to your global oro.kdl config file, under options { telemetry <value>; }. You can change your decision at any time by changing this setting.

Telemetry is currently processed using Sentry.io. If you'd like to send telemetry information to your own Sentry organization, you can do so with the --sentry-dsn option (or sentry-dsn in your oro.kdl files, either global or per-project, or oro_sentry_dsn environment variable).

Privacy & PII

Orogene uses as many settings as possible in Sentry to make sure all possible PII is scrubbed from telemetry events. Additionally, data is only retained for 90 days, including error reports, at which point it's automatically scrubbed by Sentry. Unfortunately, this is not configurable.

Additionally, when errors happen, the oro-debug-*.log file may be uploaded as an attachment to the error report. This may contain paths related to your project, which may include the username, and the names of registries and packages you may be using. It is recommended that you not opt in to telemetry if this is unacceptable.

Public Dashboard

In the interest of sharing, transparency, and helping Orogene's users, a number of anonymous statistics collected from telemetry are made available on a public Grafana dashboard.

Please note that dashboard queries may change at any time, but the general intentions behind privacy/PII concerns will be maintained.

oro add

Adds one or more dependencies to the target package

Usage:

oro add [OPTIONS] <SPECS>...

Arguments

<SPECS>...

Specifiers for packages to add

Options

--prefix <PREFIX>

Prefix to prepend to package versions for resolved NPM dependencies.

For example, if you do oro add foo@1.2.3 --prefix ~, this will write "foo": "~1.2.3" to your package.json.

[default: ^]

-D, --dev

Add packages as devDependencies

-O, --opt

Add packages as optionalDependencies

[aliases: optional]

-h, --help

Print help (see a summary with '-h')

-V, --version

Print version

Apply Options

--no-apply

Prevent all apply operations from executing

--prefer-copy

When extracting packages, prefer to copy files files instead of linking them.

This option has no effect if hard linking fails (for example, if the cache is on a different drive), or if the project is on a filesystem that supports Copy-on-Write (zfs, btrfs, APFS (macOS), etc).

--lockfile-only

Whether to skip restoring packages into node_modules and just resolve the tree and write the lockfile

--locked

Make the resolver error if the newly-resolved tree would defer from an existing lockfile

[aliases: frozen]

--no-scripts

Skip running install scripts

--default-tag <DEFAULT_TAG>

Default dist-tag to use when resolving package versions

[default: latest]

--concurrency <CONCURRENCY>

Controls number of concurrent operations during various apply steps (resolution fetches, extractions, etc).

Tuning this might help reduce memory usage (if lowered), or improve performance (if increased).

[default: 50]

--script-concurrency <SCRIPT_CONCURRENCY>

Controls number of concurrent script executions while running run_script.

This option is separate from concurrency because executing concurrent scripts is a much heavier operation.

[default: 6]

--no-lockfile

Disable writing the lockfile after operations complete.

Note that lockfiles are only written after all operations complete successfully.

--hoisted

Use the hoisted installation mode, where all dependencies and their transitive dependencies are installed as high up in the node_modules tree as possible.

This can potentially mean that packages have access to dependencies they did not specify in their package.json, but it might be useful for compatibility.

By default, dependencies are installed in "isolated" mode, using a symlink/junction structure to simulate a dependency tree.

Global Options

--root <ROOT>

Path to the project to operate on.

By default, Orogene will look up from the current working directory until it finds a directory with a package.json file or a node_modules/ directory.

[default: .]

--registry <REGISTRY>

Registry used for unscoped packages

[default: https://registry.npmjs.org]

--scoped-registry <SCOPED_REGISTRIES>

Registry to use for a specific @scope, using --scoped-registry @scope=https://foo.com format.

Can be provided multiple times to specify multiple scoped registries.

--auth <AUTH>

Credentials to apply to registries when they're accessed. You can provide credentials for multiple registries at a time, and different credential fields for a registry.

The syntax is --auth {my.registry.com}token=deadbeef --auth {my.registry.com}username=myuser.

Valid auth fields are: token, username, password, and legacy-auth.

--cache <CACHE>

Location of disk cache.

Default location varies by platform.

--config <CONFIG>

File to read configuration values from.

When specified, global configuration loading is disabled and configuration values will only be read from this location.

--loglevel <LOGLEVEL>

Log output level/directive.

Supports plain loglevels (off, error, warn, info, debug, trace) as well as more advanced directives in the format target[span{field=value}]=level.

[default: info]

-q, --quiet

Disable all output

--json

Format output as JSON

--no-progress

Disable the progress bars

--no-emoji

Disable printing emoji.

By default, this will show emoji when outputting to a TTY that supports unicode.

--no-first-time

Skip first-time setup

--no-telemetry

Disable telemetry.

Telemetry for Orogene is opt-in, anonymous, and is used to help the team improve the product. It is usually configured on first run, but you can use this flag to force-disable it either in an individual CLI call, or in a project-local oro.kdl.

--sentry-dsn <SENTRY_DSN>

Sentry DSN (access token) where telemetry will be sent (if enabled)

--proxy

Use proxy to delegate the network.

Proxy is opt-in, it uses for outgoing http/https request. If enabled, should set proxy-url too.

--proxy-url <PROXY_URL>

A proxy to use for outgoing http requests

--no-proxy-domain <NO_PROXY_DOMAIN>

Use commas to separate multiple entries, e.g. .host1.com,.host2.com.

Can also be configured through the NO_PROXY environment variable, like NO_PROXY=.host1.com.

--retries <RETRIES>

How many times to retry failed network operations

[default: 2]

oro apply

Applies the current project's requested dependencies to node_modules/, adding, removing, and updating dependencies as needed. This command is intended to be an idempotent way to make sure your node_modules is in the right state to execute, based on your declared dependencies.

This command is automatically executed by a number of Orogene subcommands. To force a full reapplication of node_modules, consider using the oro reapply command.

Usage:

oro apply [OPTIONS]

[aliases: a, ap, app]

Options

-h, --help

Print help (see a summary with '-h')

-V, --version

Print version

Apply Options

--no-apply

Prevent all apply operations from executing

--prefer-copy

When extracting packages, prefer to copy files files instead of linking them.

This option has no effect if hard linking fails (for example, if the cache is on a different drive), or if the project is on a filesystem that supports Copy-on-Write (zfs, btrfs, APFS (macOS), etc).

--lockfile-only

Whether to skip restoring packages into node_modules and just resolve the tree and write the lockfile

--locked

Make the resolver error if the newly-resolved tree would defer from an existing lockfile

[aliases: frozen]

--no-scripts

Skip running install scripts

--default-tag <DEFAULT_TAG>

Default dist-tag to use when resolving package versions

[default: latest]

--concurrency <CONCURRENCY>

Controls number of concurrent operations during various apply steps (resolution fetches, extractions, etc).

Tuning this might help reduce memory usage (if lowered), or improve performance (if increased).

[default: 50]

--script-concurrency <SCRIPT_CONCURRENCY>

Controls number of concurrent script executions while running run_script.

This option is separate from concurrency because executing concurrent scripts is a much heavier operation.

[default: 6]

--no-lockfile

Disable writing the lockfile after operations complete.

Note that lockfiles are only written after all operations complete successfully.

--hoisted

Use the hoisted installation mode, where all dependencies and their transitive dependencies are installed as high up in the node_modules tree as possible.

This can potentially mean that packages have access to dependencies they did not specify in their package.json, but it might be useful for compatibility.

By default, dependencies are installed in "isolated" mode, using a symlink/junction structure to simulate a dependency tree.

Global Options

--root <ROOT>

Path to the project to operate on.

By default, Orogene will look up from the current working directory until it finds a directory with a package.json file or a node_modules/ directory.

[default: .]

--registry <REGISTRY>

Registry used for unscoped packages

[default: https://registry.npmjs.org]

--scoped-registry <SCOPED_REGISTRIES>

Registry to use for a specific @scope, using --scoped-registry @scope=https://foo.com format.

Can be provided multiple times to specify multiple scoped registries.

--auth <AUTH>

Credentials to apply to registries when they're accessed. You can provide credentials for multiple registries at a time, and different credential fields for a registry.

The syntax is --auth {my.registry.com}token=deadbeef --auth {my.registry.com}username=myuser.

Valid auth fields are: token, username, password, and legacy-auth.

--cache <CACHE>

Location of disk cache.

Default location varies by platform.

--config <CONFIG>

File to read configuration values from.

When specified, global configuration loading is disabled and configuration values will only be read from this location.

--loglevel <LOGLEVEL>

Log output level/directive.

Supports plain loglevels (off, error, warn, info, debug, trace) as well as more advanced directives in the format target[span{field=value}]=level.

[default: info]

-q, --quiet

Disable all output

--json

Format output as JSON

--no-progress

Disable the progress bars

--no-emoji

Disable printing emoji.

By default, this will show emoji when outputting to a TTY that supports unicode.

--no-first-time

Skip first-time setup

--no-telemetry

Disable telemetry.

Telemetry for Orogene is opt-in, anonymous, and is used to help the team improve the product. It is usually configured on first run, but you can use this flag to force-disable it either in an individual CLI call, or in a project-local oro.kdl.

--sentry-dsn <SENTRY_DSN>

Sentry DSN (access token) where telemetry will be sent (if enabled)

--proxy

Use proxy to delegate the network.

Proxy is opt-in, it uses for outgoing http/https request. If enabled, should set proxy-url too.

--proxy-url <PROXY_URL>

A proxy to use for outgoing http requests

--no-proxy-domain <NO_PROXY_DOMAIN>

Use commas to separate multiple entries, e.g. .host1.com,.host2.com.

Can also be configured through the NO_PROXY environment variable, like NO_PROXY=.host1.com.

--retries <RETRIES>

How many times to retry failed network operations

[default: 2]

oro login

Log in to the registry

Usage:

oro login [OPTIONS]

Options

--auth-type <AUTH_TYPE>

What authentication strategy to use with login

[default: web] [possible values: web, legacy]

--token <TOKEN>

Set an authorization token directly (the equivalent of NPM's :token or :_authToken)

--username <USERNAME>

Set a username directly instead of logging in to a registry

--password <PASSWORD>

If a username is provided, this (optional) password will be set along with it

--legacy-token <LEGACY_TOKEN>

Set a legacy authorization token (the equivalent of NPM's :_auth)

--scope <SCOPE>

Associate an operation with a scope for a scoped registry

-h, --help

Print help (see a summary with '-h')

-V, --version

Print version

Global Options

--root <ROOT>

Path to the project to operate on.

By default, Orogene will look up from the current working directory until it finds a directory with a package.json file or a node_modules/ directory.

[default: .]

--registry <REGISTRY>

Registry used for unscoped packages

[default: https://registry.npmjs.org]

--scoped-registry <SCOPED_REGISTRIES>

Registry to use for a specific @scope, using --scoped-registry @scope=https://foo.com format.

Can be provided multiple times to specify multiple scoped registries.

--auth <AUTH>

Credentials to apply to registries when they're accessed. You can provide credentials for multiple registries at a time, and different credential fields for a registry.

The syntax is --auth {my.registry.com}token=deadbeef --auth {my.registry.com}username=myuser.

Valid auth fields are: token, username, password, and legacy-auth.

--cache <CACHE>

Location of disk cache.

Default location varies by platform.

--config <CONFIG>

File to read configuration values from.

When specified, global configuration loading is disabled and configuration values will only be read from this location.

--loglevel <LOGLEVEL>

Log output level/directive.

Supports plain loglevels (off, error, warn, info, debug, trace) as well as more advanced directives in the format target[span{field=value}]=level.

[default: info]

-q, --quiet

Disable all output

--json

Format output as JSON

--no-progress

Disable the progress bars

--no-emoji

Disable printing emoji.

By default, this will show emoji when outputting to a TTY that supports unicode.

--no-first-time

Skip first-time setup

--no-telemetry

Disable telemetry.

Telemetry for Orogene is opt-in, anonymous, and is used to help the team improve the product. It is usually configured on first run, but you can use this flag to force-disable it either in an individual CLI call, or in a project-local oro.kdl.

--sentry-dsn <SENTRY_DSN>

Sentry DSN (access token) where telemetry will be sent (if enabled)

--proxy

Use proxy to delegate the network.

Proxy is opt-in, it uses for outgoing http/https request. If enabled, should set proxy-url too.

--proxy-url <PROXY_URL>

A proxy to use for outgoing http requests

--no-proxy-domain <NO_PROXY_DOMAIN>

Use commas to separate multiple entries, e.g. .host1.com,.host2.com.

Can also be configured through the NO_PROXY environment variable, like NO_PROXY=.host1.com.

--retries <RETRIES>

How many times to retry failed network operations

[default: 2]

oro logout

Logout from the registry

Usage:

oro logout [OPTIONS]

Options

-h, --help

Print help (see a summary with '-h')

-V, --version

Print version

Global Options

--root <ROOT>

Path to the project to operate on.

By default, Orogene will look up from the current working directory until it finds a directory with a package.json file or a node_modules/ directory.

[default: .]

--registry <REGISTRY>

Registry used for unscoped packages

[default: https://registry.npmjs.org]

--scoped-registry <SCOPED_REGISTRIES>

Registry to use for a specific @scope, using --scoped-registry @scope=https://foo.com format.

Can be provided multiple times to specify multiple scoped registries.

--auth <AUTH>

Credentials to apply to registries when they're accessed. You can provide credentials for multiple registries at a time, and different credential fields for a registry.

The syntax is --auth {my.registry.com}token=deadbeef --auth {my.registry.com}username=myuser.

Valid auth fields are: token, username, password, and legacy-auth.

--cache <CACHE>

Location of disk cache.

Default location varies by platform.

--config <CONFIG>

File to read configuration values from.

When specified, global configuration loading is disabled and configuration values will only be read from this location.

--loglevel <LOGLEVEL>

Log output level/directive.

Supports plain loglevels (off, error, warn, info, debug, trace) as well as more advanced directives in the format target[span{field=value}]=level.

[default: info]

-q, --quiet

Disable all output

--json

Format output as JSON

--no-progress

Disable the progress bars

--no-emoji

Disable printing emoji.

By default, this will show emoji when outputting to a TTY that supports unicode.

--no-first-time

Skip first-time setup

--no-telemetry

Disable telemetry.

Telemetry for Orogene is opt-in, anonymous, and is used to help the team improve the product. It is usually configured on first run, but you can use this flag to force-disable it either in an individual CLI call, or in a project-local oro.kdl.

--sentry-dsn <SENTRY_DSN>

Sentry DSN (access token) where telemetry will be sent (if enabled)

--proxy

Use proxy to delegate the network.

Proxy is opt-in, it uses for outgoing http/https request. If enabled, should set proxy-url too.

--proxy-url <PROXY_URL>

A proxy to use for outgoing http requests

--no-proxy-domain <NO_PROXY_DOMAIN>

Use commas to separate multiple entries, e.g. .host1.com,.host2.com.

Can also be configured through the NO_PROXY environment variable, like NO_PROXY=.host1.com.

--retries <RETRIES>

How many times to retry failed network operations

[default: 2]

oro ping

Ping the registry

Usage:

oro ping [OPTIONS]

Options

-h, --help

Print help (see a summary with '-h')

-V, --version

Print version

Global Options

--root <ROOT>

Path to the project to operate on.

By default, Orogene will look up from the current working directory until it finds a directory with a package.json file or a node_modules/ directory.

[default: .]

--registry <REGISTRY>

Registry used for unscoped packages

[default: https://registry.npmjs.org]

--scoped-registry <SCOPED_REGISTRIES>

Registry to use for a specific @scope, using --scoped-registry @scope=https://foo.com format.

Can be provided multiple times to specify multiple scoped registries.

--auth <AUTH>

Credentials to apply to registries when they're accessed. You can provide credentials for multiple registries at a time, and different credential fields for a registry.

The syntax is --auth {my.registry.com}token=deadbeef --auth {my.registry.com}username=myuser.

Valid auth fields are: token, username, password, and legacy-auth.

--cache <CACHE>

Location of disk cache.

Default location varies by platform.

--config <CONFIG>

File to read configuration values from.

When specified, global configuration loading is disabled and configuration values will only be read from this location.

--loglevel <LOGLEVEL>

Log output level/directive.

Supports plain loglevels (off, error, warn, info, debug, trace) as well as more advanced directives in the format target[span{field=value}]=level.

[default: info]

-q, --quiet

Disable all output

--json

Format output as JSON

--no-progress

Disable the progress bars

--no-emoji

Disable printing emoji.

By default, this will show emoji when outputting to a TTY that supports unicode.

--no-first-time

Skip first-time setup

--no-telemetry

Disable telemetry.

Telemetry for Orogene is opt-in, anonymous, and is used to help the team improve the product. It is usually configured on first run, but you can use this flag to force-disable it either in an individual CLI call, or in a project-local oro.kdl.

--sentry-dsn <SENTRY_DSN>

Sentry DSN (access token) where telemetry will be sent (if enabled)

--proxy

Use proxy to delegate the network.

Proxy is opt-in, it uses for outgoing http/https request. If enabled, should set proxy-url too.

--proxy-url <PROXY_URL>

A proxy to use for outgoing http requests

--no-proxy-domain <NO_PROXY_DOMAIN>

Use commas to separate multiple entries, e.g. .host1.com,.host2.com.

Can also be configured through the NO_PROXY environment variable, like NO_PROXY=.host1.com.

--retries <RETRIES>

How many times to retry failed network operations

[default: 2]

oro reapply

Removes the existing node_modules, if any, and reapplies it from scratch. You can use this to make sure you have a pristine node_modules

Usage:

oro reapply [OPTIONS]

Options

-h, --help

Print help (see a summary with '-h')

-V, --version

Print version

Apply Options

--no-apply

Prevent all apply operations from executing

--prefer-copy

When extracting packages, prefer to copy files files instead of linking them.

This option has no effect if hard linking fails (for example, if the cache is on a different drive), or if the project is on a filesystem that supports Copy-on-Write (zfs, btrfs, APFS (macOS), etc).

--lockfile-only

Whether to skip restoring packages into node_modules and just resolve the tree and write the lockfile

--locked

Make the resolver error if the newly-resolved tree would defer from an existing lockfile

[aliases: frozen]

--no-scripts

Skip running install scripts

--default-tag <DEFAULT_TAG>

Default dist-tag to use when resolving package versions

[default: latest]

--concurrency <CONCURRENCY>

Controls number of concurrent operations during various apply steps (resolution fetches, extractions, etc).

Tuning this might help reduce memory usage (if lowered), or improve performance (if increased).

[default: 50]

--script-concurrency <SCRIPT_CONCURRENCY>

Controls number of concurrent script executions while running run_script.

This option is separate from concurrency because executing concurrent scripts is a much heavier operation.

[default: 6]

--no-lockfile

Disable writing the lockfile after operations complete.

Note that lockfiles are only written after all operations complete successfully.

--hoisted

Use the hoisted installation mode, where all dependencies and their transitive dependencies are installed as high up in the node_modules tree as possible.

This can potentially mean that packages have access to dependencies they did not specify in their package.json, but it might be useful for compatibility.

By default, dependencies are installed in "isolated" mode, using a symlink/junction structure to simulate a dependency tree.

Global Options

--root <ROOT>

Path to the project to operate on.

By default, Orogene will look up from the current working directory until it finds a directory with a package.json file or a node_modules/ directory.

[default: .]

--registry <REGISTRY>

Registry used for unscoped packages

[default: https://registry.npmjs.org]

--scoped-registry <SCOPED_REGISTRIES>

Registry to use for a specific @scope, using --scoped-registry @scope=https://foo.com format.

Can be provided multiple times to specify multiple scoped registries.

--auth <AUTH>

Credentials to apply to registries when they're accessed. You can provide credentials for multiple registries at a time, and different credential fields for a registry.

The syntax is --auth {my.registry.com}token=deadbeef --auth {my.registry.com}username=myuser.

Valid auth fields are: token, username, password, and legacy-auth.

--cache <CACHE>

Location of disk cache.

Default location varies by platform.

--config <CONFIG>

File to read configuration values from.

When specified, global configuration loading is disabled and configuration values will only be read from this location.

--loglevel <LOGLEVEL>

Log output level/directive.

Supports plain loglevels (off, error, warn, info, debug, trace) as well as more advanced directives in the format target[span{field=value}]=level.

[default: info]

-q, --quiet

Disable all output

--json

Format output as JSON

--no-progress

Disable the progress bars

--no-emoji

Disable printing emoji.

By default, this will show emoji when outputting to a TTY that supports unicode.

--no-first-time

Skip first-time setup

--no-telemetry

Disable telemetry.

Telemetry for Orogene is opt-in, anonymous, and is used to help the team improve the product. It is usually configured on first run, but you can use this flag to force-disable it either in an individual CLI call, or in a project-local oro.kdl.

--sentry-dsn <SENTRY_DSN>

Sentry DSN (access token) where telemetry will be sent (if enabled)

--proxy

Use proxy to delegate the network.

Proxy is opt-in, it uses for outgoing http/https request. If enabled, should set proxy-url too.

--proxy-url <PROXY_URL>

A proxy to use for outgoing http requests

--no-proxy-domain <NO_PROXY_DOMAIN>

Use commas to separate multiple entries, e.g. .host1.com,.host2.com.

Can also be configured through the NO_PROXY environment variable, like NO_PROXY=.host1.com.

--retries <RETRIES>

How many times to retry failed network operations

[default: 2]

oro remove

Removes one or more dependencies from the target package

Usage:

oro remove [OPTIONS] <NAMES>...

[alias: rm]

Arguments

<NAMES>...

Package names of dependencies to remove. These will be removed from all dependency types

Options

-h, --help

Print help (see a summary with '-h')

-V, --version

Print version

Apply Options

--no-apply

Prevent all apply operations from executing

--prefer-copy

When extracting packages, prefer to copy files files instead of linking them.

This option has no effect if hard linking fails (for example, if the cache is on a different drive), or if the project is on a filesystem that supports Copy-on-Write (zfs, btrfs, APFS (macOS), etc).

--lockfile-only

Whether to skip restoring packages into node_modules and just resolve the tree and write the lockfile

--locked

Make the resolver error if the newly-resolved tree would defer from an existing lockfile

[aliases: frozen]

--no-scripts

Skip running install scripts

--default-tag <DEFAULT_TAG>

Default dist-tag to use when resolving package versions

[default: latest]

--concurrency <CONCURRENCY>

Controls number of concurrent operations during various apply steps (resolution fetches, extractions, etc).

Tuning this might help reduce memory usage (if lowered), or improve performance (if increased).

[default: 50]

--script-concurrency <SCRIPT_CONCURRENCY>

Controls number of concurrent script executions while running run_script.

This option is separate from concurrency because executing concurrent scripts is a much heavier operation.

[default: 6]

--no-lockfile

Disable writing the lockfile after operations complete.

Note that lockfiles are only written after all operations complete successfully.

--hoisted

Use the hoisted installation mode, where all dependencies and their transitive dependencies are installed as high up in the node_modules tree as possible.

This can potentially mean that packages have access to dependencies they did not specify in their package.json, but it might be useful for compatibility.

By default, dependencies are installed in "isolated" mode, using a symlink/junction structure to simulate a dependency tree.

Global Options

--root <ROOT>

Path to the project to operate on.

By default, Orogene will look up from the current working directory until it finds a directory with a package.json file or a node_modules/ directory.

[default: .]

--registry <REGISTRY>

Registry used for unscoped packages

[default: https://registry.npmjs.org]

--scoped-registry <SCOPED_REGISTRIES>

Registry to use for a specific @scope, using --scoped-registry @scope=https://foo.com format.

Can be provided multiple times to specify multiple scoped registries.

--auth <AUTH>

Credentials to apply to registries when they're accessed. You can provide credentials for multiple registries at a time, and different credential fields for a registry.

The syntax is --auth {my.registry.com}token=deadbeef --auth {my.registry.com}username=myuser.

Valid auth fields are: token, username, password, and legacy-auth.

--cache <CACHE>

Location of disk cache.

Default location varies by platform.

--config <CONFIG>

File to read configuration values from.

When specified, global configuration loading is disabled and configuration values will only be read from this location.

--loglevel <LOGLEVEL>

Log output level/directive.

Supports plain loglevels (off, error, warn, info, debug, trace) as well as more advanced directives in the format target[span{field=value}]=level.

[default: info]

-q, --quiet

Disable all output

--json

Format output as JSON

--no-progress

Disable the progress bars

--no-emoji

Disable printing emoji.

By default, this will show emoji when outputting to a TTY that supports unicode.

--no-first-time

Skip first-time setup

--no-telemetry

Disable telemetry.

Telemetry for Orogene is opt-in, anonymous, and is used to help the team improve the product. It is usually configured on first run, but you can use this flag to force-disable it either in an individual CLI call, or in a project-local oro.kdl.

--sentry-dsn <SENTRY_DSN>

Sentry DSN (access token) where telemetry will be sent (if enabled)

--proxy

Use proxy to delegate the network.

Proxy is opt-in, it uses for outgoing http/https request. If enabled, should set proxy-url too.

--proxy-url <PROXY_URL>

A proxy to use for outgoing http requests

--no-proxy-domain <NO_PROXY_DOMAIN>

Use commas to separate multiple entries, e.g. .host1.com,.host2.com.

Can also be configured through the NO_PROXY environment variable, like NO_PROXY=.host1.com.

--retries <RETRIES>

How many times to retry failed network operations

[default: 2]

oro view

Get information about a package

Usage:

oro view [OPTIONS] <PKG>

[aliases: v, info]

Arguments

<PKG>

Package spec to look up

Options

--default-tag <DEFAULT_TAG>

Default dist-tag to use when resolving package versions

[default: latest]

-h, --help

Print help (see a summary with '-h')

-V, --version

Print version

Global Options

--root <ROOT>

Path to the project to operate on.

By default, Orogene will look up from the current working directory until it finds a directory with a package.json file or a node_modules/ directory.

[default: .]

--registry <REGISTRY>

Registry used for unscoped packages

[default: https://registry.npmjs.org]

--scoped-registry <SCOPED_REGISTRIES>

Registry to use for a specific @scope, using --scoped-registry @scope=https://foo.com format.

Can be provided multiple times to specify multiple scoped registries.

--auth <AUTH>

Credentials to apply to registries when they're accessed. You can provide credentials for multiple registries at a time, and different credential fields for a registry.

The syntax is --auth {my.registry.com}token=deadbeef --auth {my.registry.com}username=myuser.

Valid auth fields are: token, username, password, and legacy-auth.

--cache <CACHE>

Location of disk cache.

Default location varies by platform.

--config <CONFIG>

File to read configuration values from.

When specified, global configuration loading is disabled and configuration values will only be read from this location.

--loglevel <LOGLEVEL>

Log output level/directive.

Supports plain loglevels (off, error, warn, info, debug, trace) as well as more advanced directives in the format target[span{field=value}]=level.

[default: info]

-q, --quiet

Disable all output

--json

Format output as JSON

--no-progress

Disable the progress bars

--no-emoji

Disable printing emoji.

By default, this will show emoji when outputting to a TTY that supports unicode.

--no-first-time

Skip first-time setup

--no-telemetry

Disable telemetry.

Telemetry for Orogene is opt-in, anonymous, and is used to help the team improve the product. It is usually configured on first run, but you can use this flag to force-disable it either in an individual CLI call, or in a project-local oro.kdl.

--sentry-dsn <SENTRY_DSN>

Sentry DSN (access token) where telemetry will be sent (if enabled)

--proxy

Use proxy to delegate the network.

Proxy is opt-in, it uses for outgoing http/https request. If enabled, should set proxy-url too.

--proxy-url <PROXY_URL>

A proxy to use for outgoing http requests

--no-proxy-domain <NO_PROXY_DOMAIN>

Use commas to separate multiple entries, e.g. .host1.com,.host2.com.

Can also be configured through the NO_PROXY environment variable, like NO_PROXY=.host1.com.

--retries <RETRIES>

How many times to retry failed network operations

[default: 2]

Contributing to orogene

Finding Something to Do

Orogene has a roadmap and welcomes contributions! Issues looking for outside help are tagged as help wanted. On top of that, there are good first issue for those looking to get started more entry-level tasks.

Coding Conventions

Orogene uses conventional commits as its commit message format. Ideally, any pull requests will already use this style when submitting, but commit messages will simply be editorialized on merge if not, so consider this a soft request.

This repo uses both clippy and rustfmt to maintain consistency. Before submitting a pull request, please make sure to run both cargo clippy --all and cargo fmt --all.

Getting up and running

Orogene is a pretty run-of-the-mill Rust app and only requires a couple of steps to get up and running.

Build Dependencies

You will need git in order to fetch the orogene sources. Next, to get a checkout:

git clone https://github.com/orogene/orogene.git
cd orogene

Additionally, some tools are required to compile/build orogene:

1. (Linux only) An available OpenSSL installation: https://docs.rs/openssl/latest/openssl/#automatic
2. Cargo, which can be installed using rustup
3. Clippy, which is a component that should be added through rustup.

orogene is built against relatively recent stable versions of Rust. For a specific version to install, refer to Cargo.toml's [package] section, as rust-version.

If you plan on builing wasm packages for orogene sub-crates, you'll also need:

1. cargo install -f wasm-bindgen-cli
2. cargo install -f wasm-pack (or installed prebuilt binaries)

Building the CLI

Linux has a couple of build requirements. These can be installed on ubuntu with the following command. Adapt as needed for your distro:

sudo apt-get install build-essential pkg-config libssl-dev

On Windows, you'll need a working msvc.

You can build the CLI using a plain cargo build (optionally with --release), and binaries will be available in your local ./target/{debug,release}/oro[.exe] directory.

The oro/oro.exe is a standalone binary but, on Linux, does require a valid installation of openssl 1 installed on the system in order to run.

Building WASM packages

There's currently two packages with support for WASM, only one of which should really be used right now: crates/nassun and crates/node-maintainer. Both of them are published to the NPM registry as part of orogene's release process.

node-maintainer is orogene's dependency resolver and is responsible for calculating dependency trees based on package.json, lockfiles, etc. Extraction to filesystems is not supported in WASM mode because it is built for wasm32-unknown-unknown, not wasm-wasi. node-maintainer also exports nassun's APIs under the same wasm package, so it's not recommended to install both nassun and node-maintainer wasm packages.

To build node-maintainer:

1. Make sure you're in the orogene project root.
2. wasm-pack build crates/node-maintainer --target web
3. There will now be an NPM package under crates/node-maintainer/pkg that can be packed, copied (to vendor it somewhere, etc).

Working on the installer

Orogene's "install" command is called apply. During development, you can call it like this:

$ cargo run [--release] -- apply [--root ../path/to/test/react-app] [--oro-cache ./path/to/cache] [--loglevel info]

It might be worth it to run with --release every time if you plan on seeing applies to completion, because debug builds of orogene are pretty slow.

The apply command itself is defined in src/commands/apply.rs, and is pretty much a UI wrapper around crates/node-maintainer's APIs.

If you're only interested in the dependency resolution aspect of apply, you can run with --lockfile-only, which will skip the much more expensive extraction process.

Logging

orogene uses tracing and tracing-subscriber for tracing and logging capabilities, which can be configured through --loglevel. The syntax for this option is documented here. For example, cargo run -- apply --loglevel node_maintainer=trace,info will default to INFO-level logging for everything, but also include TRACE-level logging for anything logged by node-maintainer (node the underscore. It's based on the module name, not the crate.)

Tagging and Releasing New Versions

Releasing orogene is a four-step process:

1. First, we make sure all the READMEs are up-to-date.
2. Then, a changelog is generated, editorialized, and commited.
3. After that, a command is run to release the entire repository in lockstep.
4. Finally, an automated process takes care of generating a GitHub release and building prebuilt binaries for distribution.

In order to follow these steps, you'll need to intall cargo-make:

$ cargo install -f cargo-make

Generate/Update READMEs

First, make sure crates/README.md is up-to-date with the latest crates available under crates/, in case any of them have been added, removed, or had significant description changes.

$ cargo make readmes

This command will update and/or update crate READMEs based on rustdoc from their main modules.

If there were any changes, add and commit them with git add and git commit -m 'docs: update READMEs'

Changelog

$ cargo make changelog X.Y.Z

Where X.Y.Z is the full target semver version of the intended upcoming release.

This will automatically update CHANGELOG.md with commits based on conventional-commits in the git log.

If any additional messages are to be included, please add them under the new version header.

git add CHANGELOG.md and git commit -m 'docs: update changelog' to complete this step.

Tag and Release

First, do a quick dry run:

$ cargo make release X.Y.Z

If everything looks good, execute it for real. You'll need to make sure you're logged into both GitHub and crates.io and allowed to publish and push to GitHub main:

$ cargo make release X.Y.Z --execute

This will take care of publishing all the crates in the repository under version X.Y.Z to crates.io, tagging a new git tag, and pushing everything to GitHub when it's done.

GitHub Release

orogene uses cargo-dist for generating prebuilt binaries and GitHub Releases. No intervention is necessary here. This is handled by a GitHub Action configured under .github/workflows/release.yml.

It may take some time for everything to build, but the final release will be made available under https://github.com/orogene/orogene/releases/tag/vX.Y.Z, at which point the new version may be announced.

Code of Conduct

When something happens

If you see a violation of our community's standards of Conduct, follow these steps:

1. Let the person know that what they did is not appropriate and ask them to stop and/or edit their messages.
2. That person should immediately stop the behavior and correct the issue.
3. If this doesn’t happen, or if you're uncomfortable speaking up, contact the moderation team.
4. As soon as available, a moderator will look into the issue, and take further action, starting with a warning, then temporary block, then long-term repo or organization ban.

When reporting, please include any relevant details, links, screenshots, context, or other information that may be used to better understand and resolve the situation. See Moderation for more information about the moderation process.

Community Commitment

We as a community are committed to providing a friendly, inclusive, safe and harassment-free environment for all, regardless of level of experience, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, nationality, or other similar characteristics.

Conduct

In this community we strive to go the extra step to look out for each other. Don’t just aim to be technically unimpeachable, try to be your best self. In particular, avoid flirting with offensive or sensitive issues, particularly if they’re off-topic; this all too often leads to unnecessary fights, hurt feelings, and damaged trust; worse, it can drive people away from the community entirely.

And if someone takes issue with something you said or did, resist the urge to be defensive. Just stop doing what it was they complained about and apologize. Even if you feel you were misinterpreted or unfairly accused, chances are good there was something you could’ve communicated better — remember that it’s your responsibility to make your fellow community memebers comfortable. Everyone wants to get along and we are all here first and foremost because we want to talk about cool technology. You will find that people will be eager to assume good intent and forgive as long as you earn their trust.

• Please avoid using overtly sexual aliases or other nicknames that might detract from a friendly, safe and welcoming environment for all.
• Please be kind and courteous. There’s no need to be mean or rude.
• Respect that people have differences of opinion and that every design or implementation choice carries a trade-off and numerous costs. There is seldom a right answer.
• Please keep unstructured critique to a minimum. If you have solid ideas you want to experiment with, make a fork and see how it works.
• We will exclude you from interaction if you insult, demean or harass anyone. That is not welcome behavior. We interpret the term “harassment” as including the definition in the Citizen Code of Conduct; if you have any lack of clarity about what might be included in that concept, please read their definition. In particular, we don’t tolerate behavior that excludes people in socially marginalized groups.
• Private harassment is also unacceptable. No matter who you are, if you feel you have been or are being harassed or made uncomfortable by a community member, please contact the moderation team immediately. Whether you’re a regular contributor or a newcomer, we care about making this community a safe place for you and we’ve got your back.
• Please do not try to present "reverse-ism" versions of the conduct violations that apply specifically to underrepresented groups. Examples of reverse-isms are "reverse racism", "reverse sexism", "heterophobia", and "cisphobia".
• Do not make casual mention of slavery or indentured servitude and/or false comparisons of one's occupation or situation to slavery. Please consider using or asking about alternate terminology when referring to such metaphors in technology.
• Likewise any spamming, trolling, flaming, baiting or other attention-stealing behavior is not welcome.

These standards of conduct apply to all official venues, including Discord channels, GitHub repositories, the Twitter community and all other forums.

Moderation

These are the policies for upholding our community’s standards of Conduct. If you feel that a thread needs moderation, please contact the moderation team.

1. Remarks that violate the community standards of conduct, including hateful, hurtful, oppressive, or exclusionary remarks, are not allowed. (Cursing is allowed, but never targeting another user, and never in a hateful manner).
2. Remarks that moderators find inappropriate, whether listed in the code of conduct or not, are also not allowed.
3. Moderators will first respond to such remarks with a warning.
4. If the warning is unheeded, the user will be “kicked,” i.e., kicked out of the communication channel to cool off.
5. If the user comes back and continues to make trouble, they will be banned, i.e., indefinitely excluded.
6. Moderators may choose at their discretion to un-ban the user if it was a first offense and they offer the offended party a genuine apology.
7. If a moderator bans someone and you think it was unjustified, please take it up with that moderator, or with a different moderator, in private. Complaints about bans in-channel are not allowed.
8. Moderators are held to a higher standard than other community members. If a moderator creates an inappropriate situation, they should expect less leeway than others.

The moderators will prioritize the well-being and comfort of the recipients of the violation over the comfort of the violator.

Please note that the intent of this Code of Conduct is to create the environment envisioned in our Community Commitment. As such, recurring individual behavior that does not run afoul of any specific policy here but which creates a harmfully toxic or notably unwelcome environment will be considered in overall violation: our policy is to give a single formal warning. It is not this community's responsibility to educate people on how to change their behavior going from there, but specific events might be pointed to. Note however, there will only be one warning. As a community we are committed to avoiding issues like "missing stairs" in regards to this.

Attribution

This Code of Conduct is based on the Rust Code of Conduct, which is adapted from the Node.js Policy on Trolling as well as the Contributor Covenant version 1.3; and also the WeAllJS Code of Conduct, which is itself based on Contributor Covenant version 1.4, and the LGBTQ in Technology Slack Code of Conduct.

Orogene Release Changelog

0.3.34 (2023-10-09)

This release is largely a series of attempts at making Orogene faster, most of which didn't have much of an effect. Properly supporting reflinks on DeDrive is nice, though.

Features

• reflink: bump reflink-copy to add support for reflinks on Windows Dev Drive (32c169c7)
• perf: be smarter about reflinks and mkdirp (581dda60)

Bug Fixes

• setup: fix issue with repeatedly being asked about telemetry (a0111278)
• perf: reduce number of syscalls a bit (3f005c1f)

0.3.33 (2023-10-02)

Features

• terminal: display indeterminate progress while orogene is running (d4f3e845)
• release: automatically bump official brew formula on release (deceec38)

Bug Fixes

• manifest: handle boolean bundledDependencies values (d6c16a44)
• fmt: cargo fmt --all (6fd8b279)
• bin: fix bin linking for the isolated linker and fix cmd shims (8b58caba)
• docs: fix broken links (e182ce76)
• terminal: don't print out terminal progress codes unless stderr is a terminal (1228ebea)

0.3.32 (2023-09-30)

Features

• dist: automatically publish to a homebrew tap (023ebcca)

Bug Fixes

• cache: cache recovery was working off JSON metadata, not new rkyv-based one (7c566287)
• unsafe: use safe version of method that verifies data. No perf impact noticeable (1a6b54ac)
• resolver: fix issue with aliases not being handled properly (85d31713)
• resolver: node paths should use their fs name (544639b7)
• resolver: go ahead and try to resolve if we just have a version (8d04d84b)

Documentation

• build: document build requirements (16391bec)

0.3.31 (2023-09-28)

Bug Fixes

• dist: temporarily allow-dirty and remove license stuff (#293) (39685826)

0.3.30 (2023-09-28)

Features

• docker: add Dockerfile to compile orogene in a rust-debian-bookworm container (#288) (10575974)
• auth: add registry authentication support (0513019f)
• login: add support for all auth types to oro login, including direct --token passing (cf709946)

Bug Fixes

• auth: glue login and authentication stuff, refactor, and make it all work (23cf1bc8)
• auth: don't send auth to non-registry URLs (e84a2576)
• misc: get rid of annoying default-features warnings (84f45865)

Documentation

• auth: Add authentication/authorization docs (7ee6a742)

0.3.29 (2023-09-27)

Features

• wasm: publish NPM packages for nassun and node-maintainer as part of release (f4f2ff22)

0.3.28 (2023-09-27)

Features

• proxy: support proxy configuration (#283) (87facfe4)
• login: Add oro login and oro logout commands (#290) (39b3c6bd)
• dist: bump cargo dist and add homebrew and msi artifacts (218392d0)
• retry: enable request retries on wasm, too (1f25aa33)
• wasm: nicer TS types (64d20dcc)

Bug Fixes

• proxy: thread proxy settings through and tweak a few things along the way (7d9b476e)
• site: modernize oranda config (427f672f)
• wasm: get things working on wasm again! (ec9e6e36)
• lib: fix readme/license fields in oro-npm-account (0842d2bf)

0.3.27 (2023-05-21)

Features

• xxhash: switch to xxhash, and always validate extraction (#274) (dfdb378c)

Bug Fixes

• reapply: stop erroring on reapply if node_modules doesn't exist (940333a9)
• node-maintainer: return a more useful error message when symlink/junction creation both fail on Windows (#270) (e254c393)

0.3.26 (2023-05-19)

Features

• scripts: run lifecycle scripts in correct dependency order (#263) (00979ae8)
• error: Add extra context to all std::io::Error messages (#268) (8749a526)

Bug Fixes

• resolver: PackageResolution::satisfies() should use the spec target (4f0fbba7)
• node-maintainer: stop failing when root package entry in lockfile is missing package name (b7ac680b)

0.3.25 (2023-05-10)

Bug Fixes

• fmt: cargo fmt --all (887c2576)
• telemetry: lower telemetry sample rate (ffbd6a88)

0.3.24 (2023-05-10)

Features

• optional: ignore install script failures for truly optional dependencies (09fcc77d)
• credentials: add support for parsing credentials (for later consumption) (59f0a11c)
• telemetry: implement opt-in crash and usage telemetry (#262) (8d5e1f59)

Bug Fixes

• apply: only update package.json on apply success (1e775ad0)
• wasm: missed a spot again with wasm (c4fcb328)
• wasm: again (b745c5bb)
• docs: add --credentials to command docs (24b60124)
• debug-log: stop printing ansi codes to debug log (3c1cd69f)
• bin: semi-preserve file modes and make binaries executable (#259) (f01ed09d)
• apply: fix regression where only hoisted linker was used (78f41202)
• misc: fix a couple of straggler warnings (594081f4)

Documentation

• readme: improvements to README (7b63b073)

0.3.23 (2023-04-18)

Bug Fixes

• docs: update docs after --lockfile addition (e1caff41)
• ping: fix emoji spacing (90038383)
• nassun: try and get rustdoc to show NassunError at the toplevel to play nicer with miette (e5638712)
• error: export orogene cmd error enum (b37e1167)
• wasm: get node-maintainer working on wasm again (b1f6bc82)

Miscellaneous Tasks

• deps: bump miette to 5.8.0 (e58c256e)
• deps: bump supports-hyperlinks for more terminal support (be5712e2)

0.3.22 (2023-04-18)

no-op due to release failure. Refer to 0.3.2 for actual release details.

0.3.21 (2023-04-18)

Bug Fixes

• release: update cargo-dist release thing properly (4a204a51)

0.3.20 (2023-04-18)

Features

• reapply: add reapply command and refactor apply to be reusable (#237) (bf6b1504)
• json: add module for format-preserving JSON manipulation (3fa23e46)
• add: add oro add command for adding new deps (7ed9f777)
• rm: add oro rm command (ec301bbf)
• git: support specifying semver ranges for git dependencies (#217) (56e05f5b)
• locked: add --locked mode support (ffce208f)
• docs: write up a section about adding dependencies + specifiers (e66936c4)
• errors: better docs and url(docsrs) for all errors (0629a080)

Bug Fixes

• metadata: add support for boolean deserialization for deprecated tag of version metadata (#235) (0505793a)
• common: handle deprecation booleans in registry response (#246) (8ae12196)
• resolve: stop lockfile from clobbering dependencies (#247) (b3af2ddd)
• log: log the 'debug log way written' message as WARN (dbcbe9cc)
• rm: warn/error when something other than a package name is provided (26b01328)
• error: fix PackageSpecError docs and help not printing (f8e8e27a)
• config: apply config options from subcommands, too (3c31caac)
• rm: more random rm fixes (1c733452)

Miscellaneous Tasks

• deps: bump h2 from 0.3.16 to 0.3.17 (#242) (8123013f)

0.3.19 (2023-04-10)

Features

• debug: Include errors in debug log when possible (9551239e)
• isolated: add support for isolated dependency installation (#226) (9da2e1e7)
• apply: rename restore to apply (82f7b623)

Bug Fixes

• binlink: properly normalize non-object bin names (aea368e9)
• resolve: use PackageSpec::target() for recursive alias support (bd884703)
• ci: how did this even happen (d77a915e)

0.3.18 (2023-04-07)

Features

• config: load options from env, too (ccfa812b)
• docs: More detailed configuration docs (6165e808)
• ping: emojify ping (a6627657)
• config: read config file options from options node (41b281ee)
• docs: show command aliases in docs (0dc70672)
• config: add support for nested arrays and maps to kdl configs (f5e71d0c)
• config: support for specifying scope registries (49c2190e)
• config: support for arrays, too (ef46e5aa)
• config: overhaul how scoped registries are provided (31c3ae74)

Bug Fixes

• view: remove stray dbg! (03f7a7dd)

0.3.17 (2023-04-03)

Bug Fixes

• log: go back to not displaying targets for terminal logs (5cb06a75)

Features

• config: add support for --no-<conf> and overhaul config fallbacks (868a42b5)
• config: config files are now kdl-based (09e81bd9)

0.3.16 (2023-04-01)

Bug Fixes

• deps: bump deps/miette/etc (b987939e)
• node-maintainer: improve api docs and remove some undesirable APIs in node-maintainer (2dea36c0)
• docs: update CLI docs (bd0d7fda)
• ci: add rust-versions and re-enable minimal version checks (b509cc20)

Features

• wasm: more wasm fixes + expose iteration functionality (#218) (03dce2e9)
• restore: allow configuring script concurrency and whether to write lockfiles (a681e64a)
• config: have OroLayerConfig obey #[arg(skip)] (fc5f53ae)

0.3.15 (2023-03-31)

Bug Fixes

• shim: fix .cmd shim targets (020d96cf)
• manifest: unshadow the actual output of BuildManifest::normalize (#216) (e5c8d4bb)

Features

• manifests: add a from_manifest method to BuildManifest and do some drive-by docs work (#213) (2e9c4f51)
• scripts: run lifecycle scripts (#209) (48392c3e)

0.3.14 (2023-03-26)

Features

• build: link bins (#212) (e8ed3ff5)

0.3.13 (2023-03-25)

Security

• deps: bump openssl from 0.10.45 to 0.10.48 (#211) (e87243c2)

0.3.12 (2023-03-25)

Features

• log: improved logging/output by changing levels and formatting (e1cafd0c)
• gitinfo: add a FromStr impl for GitInfo (308d9ab7)

Bug Fixes

• tests: Nassun baseline tests (#196) (58e76853)

0.3.11 (2023-03-19)

Most of this release was docs (which are available through the Orogene site!), but there's some emoji-related stuff fixed, too that might be handy.

Features

• msg: fasterthanlime is basically the lemonodor of rust, no? (fcc5a256)
• docs: initial mdbook setup and hookup to oranda (#205) (b66a66e0)
• emoji: add global flag to disable emoji display (bafbe802)

Bug Fixes

• emoji: don't print emoji when unicode isn't supported (e8a8af79)
• wasm: missed a couple of wasm spots after recent changes (0e4d8b03)
• git: use once_cell instead of mutexes for git cache path (5961dfbc)

0.3.10 (2023-03-13)

Features

• restore: improvements to restore command, and removal of resolve command (4e9940dd)
• restore: print timings in seconds (608d3f59)
• memory: significantly reduce memory use during resolution (#203) (f7fb85d6)
• hax: offer hackerish words of encouragement! (cf467da4)

Bug Fixes

• progress: only show one progress bar at a time (e36356c6)

0.3.9 (2023-03-12)

Features

• wasm: get nassun and node-maintainer working well in wasm (#131) (16ad5bae)
• validate: optionally validate cache contents during extraction (#197) (0e22a5f4)
• extract: remove existing modules as needed (d3303b00)
• prune: check for an prune extraneous packages, and skip extracting valid ones (#200) (544a2c5c)
• progress: refactored progress bar out of node-maintainer (#201) (e1908ad6)
• progresss: add flags to disable progress bars (f988a824)

Bug Fixes

• nassun: use cfg_attr to reduce duplication (f126d5ca)

0.3.8 (2023-03-09)

Bug Fixes

• reflink: move reflink checks up to node-maintainer (#195) (9506edc7)

Features

• log: write verbose trace to a separate debug logfile (#192) (8c995125)
• log: log a bit more detail about lack of reflink support (545dff0c)
• docs: add initial benchmark tables (2bbd2616)

0.3.6 (2023-03-07)

Features

• cow: prefer CoW on systems that support it. Also, fall back to copy when hard links fail. (0e29632a)

0.3.5 (2023-03-06)

Bug Fixes

• tests: remove debug leftover (#190) (45ab7738)
• extract: need to rewind NamedTempFile before extraction (eb8c0af5)

0.3.4 (2023-03-06)

Bug Fixes

• error: make IoErrors during extraction less vague (318fd2d2)

0.3.3 (2023-03-06)

Bug Fixes

• progress: extraction should be based on node count (minus root node) (088da295)
• extract: extract_to should only be available on non-wasm (f8792adc)

Features

• deprecated: Warn when resolving npm packages marked as deprecated (#184) (45a953b0)
• maintainer: export iterator over graph modules (#187) (fa109bf4)
• maintainer: s/parallelism/concurrency/g (17e1fb49)
• modules: wrap iterator in its own type (ee99bee4)
• extraction: add support for faster, cached extraction (#191) (5bf0425b)

0.2.1 (2023-02-26)

No changes. Just getting the release system working.

0.2.0 (2023-02-26)

This is an initial "release" mostly to make sure the release workflow is all working, and just to get the current prototype out there and available for people to poke at.

Features

• cli: Add resolve & link progress bars (#145) (dd4c6ca2)